2021-11-05 07:06:08 -07:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
let
|
|
|
|
|
hostname = config.instance.hostname;
|
|
|
|
|
has-attrs = set: length (attrNames set) > 0;
|
|
|
|
|
read-lines = filename: splitString "\n" (fileContents filename);
|
|
|
|
|
has-secret-files = hasAttr "files" config.fudo.secrets;
|
|
|
|
|
|
|
|
|
|
in {
|
2023-05-16 22:40:08 -07:00
|
|
|
config = mkIf has-secret-files (let
|
|
|
|
|
host-keypairs =
|
|
|
|
|
if (hasAttr hostname config.fudo.secrets.files.ssh.host-keypairs) then
|
|
|
|
|
config.fudo.secrets.files.ssh.host-keypairs.${hostname}
|
|
|
|
|
else
|
|
|
|
|
[ ];
|
2021-11-05 07:06:08 -07:00
|
|
|
|
2023-05-16 22:40:08 -07:00
|
|
|
in {
|
|
|
|
|
fudo = let
|
|
|
|
|
sshfp-filename = host: keypair:
|
|
|
|
|
"ssh-${host}-${keypair.key-type}.sshfp-record";
|
|
|
|
|
|
|
|
|
|
dns-sshfp-records = host: keypair:
|
|
|
|
|
pkgs.stdenv.mkDerivation {
|
|
|
|
|
name = "${host}-sshfp-records";
|
|
|
|
|
|
|
|
|
|
phases = [ "installPhase" ];
|
|
|
|
|
|
|
|
|
|
buildInputs = with pkgs; [ openssh ];
|
|
|
|
|
|
|
|
|
|
installPhase = ''
|
|
|
|
|
ssh-keygen -r REMOVEME -f "${keypair.public-key}" | sed 's/^REMOVEME IN SSHFP //' > $out'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host-cfg = config.fudo.hosts.${hostname};
|
2021-11-05 07:06:08 -07:00
|
|
|
in {
|
2023-05-16 22:40:08 -07:00
|
|
|
secrets.host-secrets.${hostname} = listToAttrs (map (keypair:
|
|
|
|
|
nameValuePair "host-${keypair.key-type}-private-key" {
|
|
|
|
|
source-file = keypair.private-key;
|
|
|
|
|
target-file =
|
|
|
|
|
"/run/openssh/private/host-${keypair.key-type}-private-key";
|
|
|
|
|
user = "root";
|
|
|
|
|
}) host-keypairs);
|
|
|
|
|
|
|
|
|
|
hosts = mkIf (hasAttr "files" config.fudo.secrets) (mapAttrs
|
|
|
|
|
(hostname: keypairs: {
|
|
|
|
|
ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
|
|
|
|
|
ssh-fingerprints = concatMap (keypair:
|
|
|
|
|
let fingerprint-derivation = dns-sshfp-records hostname keypair;
|
|
|
|
|
in read-lines "${fingerprint-derivation}") keypairs;
|
|
|
|
|
}) config.fudo.secrets.files.ssh.host-keypairs);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.openssh.hostKeys =
|
|
|
|
|
let host-secrets = config.fudo.secrets.host-secrets."${hostname}";
|
2021-11-13 10:30:58 -08:00
|
|
|
in map (keypair: {
|
2023-05-16 22:40:08 -07:00
|
|
|
path = host-secrets."host-${keypair.key-type}-private-key".target-file;
|
2021-11-05 07:06:08 -07:00
|
|
|
type = keypair.key-type;
|
|
|
|
|
}) host-keypairs;
|
2023-05-16 22:40:08 -07:00
|
|
|
});
|
2021-11-05 07:06:08 -07:00
|
|
|
}
|
